Building a Password Cracker in 2024

85 points, posted by notmine1337 over 1 year ago

9 comments

zdyn5, over 1 year ago
Naive question: how is brute-force cracking still a thing in real-world systems? Aren’t there time-outs/bans for guessing wrong after like 3-5 guesses? How does one get the opportunity to try millions/billions/etc of times?
asimpletune, over 1 year ago
I'm curious if someone could comment on something. If a bunch of strings, let's say email address, are concatenated with a single, secret 128bit string, and then the resulting concatenation is hashed. Let's say sha256.

Is something like this safe against the kind of rigs and attacks being built in 2024?

You can assume the hashes are publicly downloadable, but the secret remains secret.

EDIT: Thanks for the replies. The use case is that I made a commenting system that accepts submissions via email. However, it's only being used by my personal website right now, because I'm gathering feedback on it. You can see it at https://r3ply.com. Two things to protect are privacy of commentators, and to prevent tampering of the subject line. I had plans to use an HMAC, but right now I just naively sha256(message+pepper).
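The construction in the comment above, as an added example that is neither the commenter's code nor anything from r3ply.com: the naive sha256(message + pepper) beside the HMAC-SHA256 the comment says it planned to use, a subject-line tag that is checked on receipt with a constant-time compare, and the offline search that anyone holding the public tags can run, which recovers the pepper from a single known (email, tag) pair when the pepper is short enough to enumerate. The pepper, addresses, alphabet and guess rate below are constructed values; no API of the real service is assumed.

```python
"""Added example: keyed tags over email addresses and subject lines.
Everything here (pepper, addresses, rates) is constructed for illustration;
it is not the r3ply.com code."""
import hashlib
import hmac
import itertools
import os


def naive_tag(message: bytes, pepper: bytes) -> str:
    # The construction described in the comment: one SHA-256 over message || secret.
    # Its strength against an attacker holding the public tags is exactly the
    # entropy of `pepper`, since the hash itself is fast to evaluate.
    return hashlib.sha256(message + pepper).hexdigest()


def hmac_tag(message: bytes, pepper: bytes) -> str:
    # Standard keyed MAC: the key is mixed in by the HMAC construction, not by
    # concatenation, so its security does not depend on where the secret sits.
    return hmac.new(pepper, message, hashlib.sha256).hexdigest()


def verify_tag(message: bytes, pepper: bytes, tag: str) -> bool:
    # Constant-time comparison: a plain == would let timing reveal how many
    # leading characters of a forged tag were right.
    return hmac.compare_digest(hmac_tag(message, pepper).encode(), tag.encode())


TAG_HEX = 32  # 128-bit tag, truncated from the 256-bit HMAC output


def sign_subject(subject: str, pepper: bytes) -> str:
    """Append a tag to an outgoing subject line so the reply can be checked."""
    return f"{subject} [{hmac_tag(subject.encode(), pepper)[:TAG_HEX]}]"


def parse_subject(signed: str, pepper: bytes):
    """Return the original subject if its tag verifies, else None."""
    if not signed.endswith("]") or " [" not in signed:
        return None
    subject, _, tag = signed[:-1].rpartition(" [")
    expected = hmac_tag(subject.encode(), pepper)[:TAG_HEX]
    return subject if hmac.compare_digest(expected.encode(), tag.encode()) else None


def recover_weak_pepper(message: bytes, tag: str, alphabet: str, max_len: int):
    """Offline attack with one known (message, tag) pair: enumerate peppers
    drawn from `alphabet` up to `max_len` characters. Returns the pepper or
    None. A random 16-byte pepper makes this search 2**128 wide."""
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            guess = "".join(cand).encode()
            if naive_tag(message, guess) == tag:
                return guess
    return None


def exhaustive_search_seconds(pepper_len_bytes: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate every pepper of the given length."""
    return 2.0 ** (8 * pepper_len_bytes) / guesses_per_second


if __name__ == "__main__":
    pepper = os.urandom(16)  # 128-bit secret, as in the comment
    email = b"alice@example.com"  # constructed address
    print("naive:", naive_tag(email, pepper))
    print("hmac: ", hmac_tag(email, pepper))
    signed = sign_subject("Re: Building a Password Cracker in 2024", pepper)
    print("subject:", signed, "->", parse_subject(signed, pepper))
    print("tampered ->", parse_subject(signed.replace("2024", "2025"), pepper))
    # Assumed rate of 1e12 SHA-256/s (order of magnitude for a GPU rig, not a benchmark):
    years = exhaustive_search_seconds(16, 1e12) / 3.15e7
    print(f"exhausting a 16-byte pepper at 1e12 guesses/s: {years:.2e} years")
    # A 2-character pepper from a 3-letter alphabet falls in a few dozen guesses:
    weak = b"ab"
    print("weak pepper recovered:", recover_weak_pepper(email, naive_tag(email, weak), "abc", 3))
```

With the secret appended, as the comment has it, length extension is not the concern; what the naive form gives you is the pepper's entropy, and a random 16-byte pepper is out of reach of any rig. HMAC is still the construction to use: it is the standard keyed MAC, its security argument does not depend on concatenation order, and the verify side needs the constant-time compare either way.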
mvelbaum, over 1 year ago
Hmm, I actually have an old password protected PDF (pass is prolly around ~10 chars, letters+digits) whose password I forgot.

Are there legit services offering brute-force cracking? How long would it take, and how much would it cost?
mrgaro, over 1 year ago
I just read that Facebook is going to have 600 000 units of Nvidia H100 class GPUs by the end of year. What does that kind of processing power do for password cracking?

Think what if NSA could order FB to run their infrastructure for one hour? How long passwords would need to be to still resist this?
alexchamberlain, over 1 year ago
I found the comments regarding checking your power supply quite interesting - I guess in Europe with 220V as standard we don't really need to worry about it? (Assuming your plugs aren't on a lighting ring or something silly like that)
rompledorph, over 1 year ago
I am curious why they did not go for 4090, as it seems to give more hashes/sec/dollar
mediumsmart, over 1 year ago
I thought username is max 14 and password is min 22 as it should be.
HackerThemAll, over 1 year ago
tl;dr it's about building a rig and playing with it, and totally not about any novel password cracking methodologies for 2024 (which are IMO more important than hardware).
BrandoElFollito, over 1 year ago
Cybersecurity is a large set of security concerns and password strength is only one of them. This is mostly a solved problem and a minor consideration when you store the passwords correctly on the backend (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), have reasonable password restrictions (16 characters, no complexity, changes once or twice a year "just in case"), ideally a basic checker when people set their passwords (against a leaked passwords db such as rockyou) and correct identity management (especially disabling an account when the user leaves).

There is really nothing exciting in that part of cybersecurity and with the above in place you are safe and can move towards the real risks. Online password cracking does not matter in practical terms and for offline one you have other problems to urgently address.

What these risks are depends on who you are but if you address aggressive, stubborn and coercive patching + development security (if you develop) + enthusiastic awareness you are ahead of 99% of the world already.

Add to this some endpoint protection and monitoring of the events and, man, you are a company I can trust my HN rep.
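The backend controls the comment above lists, as an added example in Python's standard library that is neither the commenter's code nor OWASP's: a length-only policy check against a breached-password list, scrypt hashing with the cost parameters stored beside the hash so they can be raised on a later login, constant-time verification, and an account flag that refuses login once the user has left. The breached list and accounts are constructed stand-ins; the scrypt cost is an assumed value sized to run quickly under hashlib's default memory cap, not the cheat sheet's recommended minimum.

```python
"""Added example: password policy, storage and account lifecycle.
The breached list, users and scrypt cost are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 16  # length-only policy: no composition rules

# Constructed stand-in for a leaked-password list such as rockyou.
BREACHED = {"password", "123456", "correcthorsebatterystaple", "qwertyuiopasdfgh"}

# Assumed scrypt cost for this example. The OWASP cheat sheet's table starts
# at N=2**17, r=8, p=1 (128 MiB); this setting uses 16 MiB so it fits
# hashlib.scrypt's default 32 MiB cap.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def check_password(password: str) -> Optional[str]:
    """Return None if the password is acceptable, else the rejection reason."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password in BREACHED:
        return "appears in a breached-password list"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt with a per-user random salt; parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored`; constant-time compare."""
    algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str) -> bool:
    """True if the stored hash was made with weaker cost than the current one."""
    _, n, r, p, _, _ = stored.split("$")
    return (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


@dataclass
class Account:
    username: str
    password_hash: str
    disabled: bool = False  # set when the user leaves; never deleted silently


def login(account: Account, password: str) -> bool:
    """A disabled account never authenticates, even with the right password."""
    if account.disabled:
        return False
    ok = verify_password(password, account.password_hash)
    if ok and needs_rehash(account.password_hash):
        # Upgrade cost on a successful login, while the cleartext is available.
        account.password_hash = hash_password(password)
    return ok


if __name__ == "__main__":
    for candidate in ["hunter2", "qwertyuiopasdfgh", "correct horse battery"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    alice = Account("alice", hash_password("correct horse battery"))  # constructed user
    print("login:", login(alice, "correct horse battery"))
    print("wrong:", login(alice, "correct horse batterx"))
    alice.disabled = True  # user left
    print("after offboarding:", login(alice, "correct horse battery"))
```

The policy function is where the "16 characters, no complexity" rule and the rockyou check live; the stored format keeps `N`, `r` and `p` next to the salt so the cost can be raised later without a migration, and the disabled flag is checked before the hash so an offboarded user gets the same answer whether or not they remember their password.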